From 6acb25e30953aa969a4bfecc4e1de80c25d1fda5 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Mon, 20 Dec 2021 22:20:09 -0600
Subject: [PATCH] nextcloud: Trust headers from public rev proxy

If Nextcloud does not have the Internet-facing reverse proxy listed in
its "trusted proxies" setting, it will mark all traffic as being from
the proxy itself.  This breaks brute force detection, etc.
---
 group_vars/nextcloud.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/group_vars/nextcloud.yml b/group_vars/nextcloud.yml
index 7fd24a4..8e5416a 100644
--- a/group_vars/nextcloud.yml
+++ b/group_vars/nextcloud.yml
@@ -9,6 +9,7 @@ pg_hba_extra:
 nextcloud_trusted_proxies:
 - 127.0.0.1
 - ::1
+- '{{ lookup("dig", groups["public-web"][0]) }}'
 nextcloud_trusted_domains:
 - nextcloud.pyrocufflink.net
 - nextcloud.pyrocufflink.blue